UPDATED 22:29 EST / DECEMBER 18 2016

Research finds WordPress security flaws exist but not as bad as thought

A new study has found that while Automattic Inc.’s WordPress content management system continues to have security flaws, they’re not as bad as commonly thought.

German security firm RIPS Technologies GmbH analyzed all 47,959 plugins that are available from the official WordPress repository using its static code analyzer and found that only 8,800 of the plugins had at least one vulnerability in them.

Where the figures do become somewhat concerning is with what the company describes as “larger plugins,” that is, plugins with more than 500 lines of code. Of the 10,523 larger plugins, 4,559, or 43 percent, contain at least one medium severity issue, such as cross-site scripting.

Of all plugins analyzed, nearly 36,000 did not have any vulnerabilities at all while 1,426 had only low severity flaws. Medium severity bugs were identified in more than 4,600 plugins, while high severity bugs and critical issues came in at 2,799 and 41 plugins respectively. Those plugins found to have security issues tended not to have single vulnerabilities, with a total of 67,486 vulnerabilities discovered in the plugins analyzed.

Cross-site scripting was the most common vulnerability, accounting for 68 percent of those found, followed by 20 percent of plugins allowing for potential SQL injections. Some of the most common WordPress plugins targeted by attacks were found to be

  • Revolution Slider
  • Beauty & Clean Theme
  • MiwoFTP
  • Simple Backup
  • Gravity Forms
  • WordPress Marketplace
  • CP Image Store
  • WordPress Download Manager

RIPS security researcher Hendrik Buchwald said the findings gave reason for calm, since the results are far better than they could have been.

WordPress is not as insecure as its reputation would suggest. Rather it is a top target due to its incredible prevalence. Yes, there are a lot of vulnerabilities in the WordPress ecosystem, but most of them are in a small percentage of the plugins. While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues have a lot of them.

Buchwald recommends that WordPress users install only plugins that they really need, keep all plugins up to date and choose strong passwords.

Image credit: Maxpixel/Public Domain CC0
